tech-pkg archive


Improving security for pkgsrc


Hi pkgsrc developers,

while looking for ways to provide binary packages for EdgeBSD users in
line with the current state of the art, I found that there are some
low-hanging fruits up for grabs:;a=commitdiff;h=705b8

1. Building with stack smashing protection (SSP):

  +_GCC_CFLAGS+=  -fstack-protector

This one is already described in NetBSD's build process; for a minor
performance penalty, the compiler checks that a canary placed on the
stack is still present and unmodified, thereby helping to mitigate
stack-based buffer overflows.

Also note that it can easily be applied to other compilers as well
(including clang) and that some even implement this by default (like

2. Building position-independent code:

  +_GCC_LDFLAGS+= -Wl,-pie

This helps with ASLR, randomizing the location of the .bss, .data
sections as well as the heap, instead of only the stack and mapped
memory (which I confirmed on NetBSD/amd64). There is one issue
remaining with this though: linking with libraries built with
"-Wl,-pie" seems to fail. So effectively this flag should only be
applied to executables, as is already possible in NetBSD's build
process with the MKPIE option.

3. Linking with RELRO by default:

  +_GCC_LDFLAGS+= -Wl,-z,relro

I am less familiar with this one, which OpenBSD has been advocating
for a while now:
(and in some slides from theo)

I think OpenBSD's changes go much further than just using this flag,
which should however already be a good step. The point is to mitigate
exploits injecting code within the ELF GOT and PLT tables, since they
are both writable and executable. I have confirmed that the program
header table for binaries built with this option does contain an
additional, read-only entry - so this option does have an impact
(NetBSD/amd64) - and the resulting binaries still work for me.
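As an added illustration (not part of the original mail or of pkgsrc), the following Python checker reads an ELF64 header and its program header table to report the three properties discussed above: PIE (ET_DYN plus a PT_INTERP entry), RELRO (the extra PT_GNU_RELRO segment) and SSP (a reference to __stack_chk_fail). The two sample images are constructed inline from headers only, and the PIE and SSP tests are heuristics I am assuming here, not a pkgsrc facility.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 1, 2, 3, 0x6474E552


def elf_hardening(data: bytes) -> dict:
    """Report PIE, RELRO and SSP indicators for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    ptypes = set()
    for i in range(e_phnum):
        ptypes.add(struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0])
    return {
        # A PIE is linked as ET_DYN like a shared library, but unlike a
        # library it carries a PT_INTERP entry (heuristic: static PIEs have none).
        "pie": e_type == ET_DYN and PT_INTERP in ptypes,
        # -Wl,-z,relro makes the linker emit one extra PT_GNU_RELRO segment,
        # the additional read-only entry in the program header table.
        "relro": PT_GNU_RELRO in ptypes,
        # -fstack-protector makes instrumented functions reference
        # __stack_chk_fail, so the name appears in the dynamic string table
        # (heuristic: a binary that merely contains the string also matches).
        "ssp": b"__stack_chk_fail" in data,
    }


def build_elf(e_type: int, ptypes: list, tail: bytes = b"") -> bytes:
    """Constructed sample: an ELF64 header plus program headers only; not a
    loadable binary, just enough for elf_hardening() to inspect."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0)
                     for t in ptypes)
    return ehdr + phdrs + tail


HARDENED = build_elf(ET_DYN, [PT_INTERP, PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO],
                     b"\0__stack_chk_fail\0")
PLAIN = build_elf(ET_EXEC, [PT_LOAD, PT_DYNAMIC])

if __name__ == "__main__":
    import sys
    # Pass real binaries on the command line, otherwise show the two samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
        [("hardened sample", HARDENED), ("plain sample", PLAIN)]
    for name, image in targets:
        print(f"{name}: {elf_hardening(image)}")
```

On a real binary this gives the same answer as `readelf -l` (look for GNU_RELRO and the file type) and `nm -D | grep __stack_chk_fail`, which is the quickest way to confirm the flags actually reached a package's executables.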

Working on integration

This commit adds all those flags to CFLAGS and LDFLAGS, iff building
on NetBSD with gcc. It enables all three improvements by default as-is
(on this platform only). This is one reason it is not suitable for
inclusion yet, and I will welcome help to achieve it.

The first concern is obviously how to make it optional. Should I use
variables like USE_FORT/USE_SSP from mk.conf for SSP, or MKPIE for PIE
for instance, like when building NetBSD? And then MKRELRO or USE_RELRO?

I will also welcome suggestions to help fix the current issue building
PIE executables.

If there are NetBSD architectures known not to support these flags,
then they should also be listed here; or the other way around, if
they are the majority, of course.

Similarly, I can use the information from the Wikipedia page about SSP
to extend support to other compilers (and to improve it on GCC as
well). I will welcome assistance on any additional platform.

Last but not least, I have similar patches ready for NetBSD's base system.

Let me know if any of those look good enough for NetBSD's base system,
or if they can already be discussed there as well.

